The attack by the Stuxnet virus against Iran in 2010 raised awareness of the vulnerability of industrial systems known as SCADA (Supervisory Control And Data Acquisition). However, for how long have these threats existed? What are the means used by cybercriminals to target industrial systems? What are the impacts of these attacks? In this article, Ruchna Nigam, Security researcher at Fortinet’s FortiGuard Labs shares expert insights into SCADA attacks.
SCADA is the term describing systems that are used to control physical equipment. These systems are used in many industrial applications, like for driving turbines at power plants, oil and gas pipelines; at public facilities like metal detectors at airports; and even in private facilities, e.g. to control/monitor processes like heating, ventilation and energy consumption. The fact that an attack on such a system can often produce significant physical damage makes SCADA systems a particularly attractive target for hackers.
Unfortunately, it took an attack the scale of Stuxnet to raise awareness among industrial companies about the potential destructive impacts of these cyber threats. While traditional computer attacks usually result in non-material damage, Stuxnet showed the destructive capacity of advanced worms and viruses in affecting not only corporate data but also water management systems, chemical product production and energy infrastructures.
Stuxnet, however, is not the first virus targeting the SCADA environment. Here is an overview of some significant known attacks targeted at SCADA over the years, classified into three categories:
1982: the first SCADA attack may have happened as early as 1982. According to a collection of documents called the “Farewell Dossier”, the US Central Intelligence Agency (CIA) was involved in the sale of ‘altered’ products and equipment to the Soviet Union. A Trojan Horse was added to equipment and led to an explosion on the Trans-Siberian gas pipeline. This was never officially confirmed in the Farewell Dossier, which only mentioned the installation of flawed turbines but not the accident.
1999: There were reports of an attack on Gazprom, the Russian oil corporation, where a Trojan horse was installed on their pipeline system, with the help of an insider. The attack is reported to have disrupted the control of gas flows for a few hours but this was never confirmed by Gazprom.
Several SCADA systems have come under attack by viruses that weren’t specifically targeting them but happened to find them.
2003: Davis-Besse Nuclear Power Station and CSX Corporation in the US were respectively victims of the Slammer and Sobig worms. Slammer caused a denial of service and slowed down the network whereas Sobig sent out spam via e-mail.
Physical impacts: None for Davis-Besse Nuclear Power Station, although Slammer took down the SCADA network on another undisclosed utility. The Sobig virus infected a computer system in CSX Corporation’s headquarters, shutting down signaling, dispatching and other systems, resulting in train delays.
2004: Transportation companies like British Airways, Railcorp, Delta Airlines were hit with the Sasser worm that exploited a buffer overflow vulnerability to propagate to other vulnerable systems. Some aggressive variants may have caused network congestion.
Physical impact: Train and flight delays and flight cancellations in some cases.
2009: The French Navy was a victim of the Conficker worm. It exploited a Windows vulnerability, or guessed administrator passwords, to install itself. The worm could then propagate to other vulnerable machines, self-update, and download and install further malware.
Physical impact: Failure to download flight plans leading to grounded aircraft.
Confirmed targeted attacks
Here are the attacks that were specifically designed for and targeted at SCADA systems.
2009: Oil, gas, and petrochemical companies such as Exxon, Shell, BP, among others were hit by the Night Dragon virus that was distributed using spearphishing. The virus allowed the infected computers to be controlled remotely by attackers.
Physical impact: None, although it is reported that attackers exfiltrated operational blueprints for SCADA systems and even collected data.
2010: Stuxnet was a computer worm found spying on and reprogramming industrial systems at Iran’s Natanz nuclear facility. This virus intercepted and made changes to data sent to a Programmable Logic Controller (PLC).
Physical impact: Destroyed a fifth of Iran’s nuclear centrifuges.
2014: The next two viruses were found in the wild in 2014, but no reports were received from the impacted organizations. Havex was distributed as trojanised SCADA software downloads from compromised vendor websites. It scanned the local network for servers that collect data from industrial equipment and sent the collected data to a command and control server. Here, the hackers’ motivations were data stealing and spying.
Physical impact: None
Blacken was found on a command and control server of an existing botnet. It targets users of the SCADA software, GE Cimplicity, and installs executables to the software’s home directory. Some of these executables are bots that can be commanded remotely. It also references Cimplicity design files but their exact use is not yet understood.
Physical impact: No reported cases
Last but not least, according to a report by the German Federal Office of Information Security (BSI), a targeted attack on the computer network of a German steel mill in 2014 resulted in massive damage. The attackers used spear phishing e-mails and sophisticated social engineering to gain access to the steel mill’s office network, leading them to the production network. The report describes their technical skills as ‘very advanced’, with an expertise not only in traditional IT security but also extending to detailed technical knowledge of Industrial Control Systems (ICS) and the production processes being used.
Physical impact: Although details of the malware itself are vague, the report states that the attack led to the breakdown of individual control components, which “led to the uncontrolled shutdown of a blast furnace, leaving it in an undefined state and resulting in massive damage.”
In conclusion, based on the instances listed above, such attacks are far from widespread despite how attractive SCADA systems are as targets. Except for Stuxnet and the virus targeting the German steel mill, no other attack has managed to cause physical destruction. The reason? These sophisticated attacks require not only advanced technical skills and knowledge of the infrastructure under attack, but also significant financial resources, which not all cybercriminals have. Looking at how cybercrime continues to evolve, one may expect such destructive attacks to increase, hinting at the need for companies to start preparing for them.